The backend for the main download page at Floodgap has been altered such that the Downloader is now only offered to browsers that do not support TLS 1.2 (this is detected by checking for a particular JavaScript math function Math.hypot, the presence of which I discovered roughly correlates with TLS 1.2 support in Google Chrome, Microsoft Edge, Safari and Firefox/TenFourFox). This is to save bandwidth on our main server since those browsers are perfectly capable of downloading directly from SourceForge and don't need the Downloader to help them. This is also true of Leopard WebKit, assuming the Security framework update is also installed.
For FPR7, I have already exposed basic adblock in the TenFourFox preferences pane, and am looking at some efficiency updates as well as updates to the supported TLS ciphers and hopefully date pickers if there is still time. Also, the limited profiling tools I have at my disposal suggest that some of the browser's occasional choppiness is at least partially associated with improperly scheduled garbage collection slices. I'm experimenting with retuning the runtime environment to see if we can stave off some types of collection to preserve CPU cycles and not bloat peak memory usage too much. So far, 24 hours into testing with some guesswork numbers, it doesn't seem to be exploding. More on that later.
The following line is still visible on the main page:
"* The TenFourFox Downloader requires a Power Mac running 10.4 or 10.5. Although the Downloader uses current encryption methods to download the browser, the Downloader itself is accessed over unencrypted HTTP. If you are in an environment where your network may be tampered with, we recommend using another computer for the initial download or manually verifying the download with cryptographic hashes."
This should also be hidden with the Downloader link, otherwise that section of the page doesn't make sense.
C.K. I bet you could implement an OpenSSL160 validator in your downloader that simply checks the hash vs the checksum of the same name.
Now both items are insecure, but to face both would be much more difficult.
Sorry - Typo "But to fake both would be..."
Excellent work once again, Dr. Kaiser. TenFourFox is getting faster and faster with each release.
Keep it coming.
Are you using the final build? The build ID is different than the first one, and the final build has some security patches, so it is not the same.